docker-publish.yml

name: Docker Build and Sign
 
on:
  push:
    branches:
      - main
  workflow_dispatch:

permissions:
  packages: write
  contents: read

jobs:
  build-and-sign:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2

      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GHCR_PAT }}

      - name: Build Docker image
        run: |
          docker build -t ghcr.io/willcaton2350/python-rumble-bot:main -f Python-Rumble-Bot-Final/Dockerfile Python-Rumble-Bot-Final/

      - name: Install Cosign
        uses: sigstore/cosign-installer@v3.5.0
        with:
          cosign-release: 'v2.2.4'

      - name: Save COSIGN_KEY to a file
        run: echo "${{ secrets.COSIGN_KEY }}" | base64 -d > cosign.key
        shell: bash

      - name: Set file permissions
        run: chmod 600 cosign.key
        shell: bash

      - name: Sign image with Cosign
        env:
          TAGS: ghcr.io/willcaton2350/python-rumble-bot:main
          DIGEST: sha256:a43b405e0ba8bfbd9ad479da6a4c927110fcfb12483b6655c0ac55b74166c95b
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
        run: |
          echo "Signing image with cosign..."
          echo "${TAGS}" | xargs -I {} cosign sign --yes --key cosign.key {}@${DIGEST}

      - name: Verify signature
        env:
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
        run: |
          echo "Verifying image signature with cosign..."
          echo "${TAGS}" | xargs -I {} cosign verify --key cosign.key {}@${DIGEST}